October is National Cyber Security Awareness Month. I am hoping you will join me in a national program to kill cybersecurity awareness training programs. I don't know who came up with the concept of "security awareness training", but it has reached the end of its utility and should be replaced with something else. Is all we want for users to be "aware" of security issues? Don't we want them to be educated enough to be active parts of the solutions?

I looked into the history of "security awareness training". Did we inherit it from the pioneers?

I re-read "Establishing a Data Processing Security Program", by William H. Murray, dated 1981. He gives management responsibility for "employee education and awareness". No awareness training. Then I re-read "Fighting Computer Crime" (1998), by another pioneer, Donn Parker. He recommends creating "awareness and motivation for information security by tying security to job performance", but no "awareness training".

Then I re-read CSO blogger Michael Santarcangelo's book "Into the Breach" (2008). Interestingly, this book does not contain the phrase "awareness training". Awareness is discussed, but in the context of changing user behaviors. Isn't this what we really want from users? Just being aware is no longer enough when technology is an integral part of everyone's work and personal lives. We need to replace awareness with education.

The goal of educating users about security is to facilitate an organizational change, so that security becomes part of the company culture. This only happens through a step-by-step managed process. You can learn more about the steps by reading John Kotter's book, "Leading Change" (2012).

The processes needed to make this change occur have been analyzed by management researchers, so we don't need to reinvent the wheel. One model that I like, for both simplicity and comprehensiveness, is the Star Model from Jay Galbraith.

This model emphasizes that five processes need to be implemented simultaneously in order to bring about change. Obviously you need a security strategy. You also need to assign roles and responsibilities in the security structure, and this needs to include the whole organization, not just the office of the CISO. You need processes, and supporting technology. Galbraith also includes carrots (as well as the implicit sticks) to motivate people. Finally, we have the people process: training and educating all staff to influence employee mind-set and skills around information security. Awareness training alone will not be enough to facilitate an organizational change. We need to enable our users to learn about security and how to use it in their jobs.

I know most security professionals are busy meeting compliance requirements, dealing with incidents and trying to keep up with technology and threats. However, we also need to keep an organizational change model in the back of our minds. If we don't learn how to educate our users, I am afraid we will not get off the security cycle of pain.